Why rootkits mean you must nuke your machine

Why rootkits mean you must nuke your machine

Summary: At Microsoft's IT Forum 2005 event in Barcelona this week, Windows programme manager Mike Danseglio explained the only reliable method of dealing with rootkits

SHARE:
TOPICS: Security
5

How can we detect rootkits?
There are a number of tools, including: VICE, Patchfinder2, Rootkit Revealer, Klister/Flister, F-Secure Blacklight, Microsoft File Checksum Integrity Verifier, Windows Preinstallation Environment (WinPE), Bootable Antivirus and Recovery Tools (Bart PE), Knoppix Security Tools Distribution (STD).

The ones at the top of this list examine the operating system from the inside, which means they often cannot detect the rootkit code. A lot depends on the quality of that code. Rootkit Revealer sometimes detects Hacker Defender, sometimes it doesn't. It totally depends on the attacker.

WinPE and Bart PE and Knoppix STD all rely on external operating systems loaded on CDs or thumbdrives, and they do not activate the local operating system that you're attempting to scan. They let you examine it from the outside.

There is no way to hide from an external scanner, but if the rootkit is customised then again it can be very difficult to detect. One solution is to look at the entire file system and dump it to a text file externally, then boot the suspect operating system, examine everything from within it and dump that to a text file. If I then see eight extra files on the first version that don't appear on the second version I might find that one is a rootkit, one is a virus or even a movie. That is a very reliable technique.

Of course the concern is that this is not practical when you have 80,000 PCs and 700 servers. How do you detect rootkits on those? There can be tell-tale signs. At the University of Washington they find at least two rootkits a week. The students are doing nothing [with the rootkits] but hiding movies. The university identifies systems that have rootkits because in that case they have enormous amounts of network traffic. If you have 50 people pulling a 4GB DVD off a server that normally has just 1Mbit throughput, then you should be concerned. So one way to scan for rootkits is to look for footprints and ask yourself what is it doing to my system?

How do we remove rootkits?
There is only one guaranteed way to remove a rootkit: you destroy the system and then rebuild it. There is no other way to reliable remove a rootkit — no other way whatsoever.

You can't delete the file or even reinstall the operating system over the top of the existing OS — which is a horrible practice anyway. It is super important to nuke the system because a rootkit's primary function is stealth — what is it hiding? Do you know? Usually not. How can you reliably know what it was hiding, what it was compromising or what it was removing?

Are there any defences?
You should use malware scanners, firewalls, intrusion detection and prevention, strong passwords, regular patches and audits. They are easy to prevent, but extraordinarily difficult to remove.

What does the future hold?
We found one example of a rootkit recently that hides itself in video memory, and every time the system boots it loads up. This means that it doesn't exist on the hard drive, and so the only time you can detect it is when the system is running, which is when it is able to hide itself. That's where we see things going: harder to detect, better cloaking. And of course finding its way into DRM technology, and increasingly into spyware too.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

5 comments
Log in or register to join the discussion
  • A rootkit exists in video memory?? Is this video memory volatile or non-volatile? If volatile then where is the rk stored if not on the HD? If non-volatile then how will a system nuke fix things?
    anonymous
  • wouldn't it solve the problem if the OS does not allow the system to hide the file and behave as a rootkit in the first place? or if it has stricter rules to govern the use of rootkits even for legitimate reasons?
    anonymous
  • This article is woefully uninformed, from the meaning of rootkit, to the suggestion that you must nuke the system rather than restoring a ghost image of the hard disk that is made on a regular basis.

    "root" comes from root under Unix. The term doesn't even describe sony's code. A root kit installs over system programs and generally collects data for a hacker. Sony's program is simply a stealth program that uses traditional methods of hiding processes on Windows. Thats not a root kit. If it replaced the login program, or replaces the explorer program, it would be a rootkit. Key to a rootkit is the fact that it replaces a legitimate program with its own rendition which collects some data.

    Yes, Sony's "rootkit" hides itself. But any program in windows can hide itself...it doesn't have to be root to do so, and it doesn't have to replace any program on the system to do so. It simply hooks the kernel dll calls and layers itself on top. This technique has been around since windows 3.0. But its not a rootkit.
    anonymous
  • Rootkits should be viwed exactly the same as other attacks on our PC's, they are secrative, no permission has been given for them to tresspass on our property and they are not neutral they do something to you. Sony's actions were disgraceful company's have no right to intrude and trespass without property. They should be legaly responsible for their actions. This reminds me of the Tesco tracking chip - who do they companiers think they are. Consumer boycotts are a good start they will soon cease these activities
    anonymous
  • Try reading and fixing the terribly high amount of typos in this piece!!

    otherwise it's quite good!
    anonymous